Colleagues,

I am posting below the contents of an HTTP request (especially the
"Proxy-Authorization:" header the browser is sending) to which squid's
negotiate_kerberos_auth replies:

"ERROR: Negotiate Authentication validating user. Result: {result=BH, notes={message: gss_acquire_cred() failed: No credentials were supplied, or the credentials were unavailable or inaccessible.. unknown mech-code 0 for mech unknown; }

What's wrong with the contents of the header? Why does
negotiate_kerberos_auth not like it?

No.     Time        Source          Destination     Protocol Length Info
101     50.565800   10.14.143.228   10.14.140.9     HTTP     897    GET http://www.nasa.gov/ HTTP/1.1

Frame 101: 897 bytes on wire (7176 bits), 897 bytes captured (7176 bits)
Ethernet II, Src: Cisco_ce:9a:60 (00:17:5a:ce:9a:60), Dst: AsustekC_d9:90:67 (00:22:15:d9:90:67)
Internet Protocol Version 4, Src: 10.14.143.228 (10.14.143.228), Dst: 10.14.140.9 (10.14.140.9)
Transmission Control Protocol, Src Port: 2103 (2103), Dst Port: 3131 (3131), Seq: 7389, Ack: 24813, Len: 843
[2 Reassembled TCP Segments (2303 bytes): #100(1460), #101(843)]
Hypertext Transfer Protocol
    GET http://www.nasa.gov/ HTTP/1.1\r\n
    Accept: */*\r\n
    Accept-Language: ru\r\n
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 1.1.4322; .NET4.0C; .NET4.0E; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)\r\n
    Accept-Encoding: gzip, deflate\r\n
    Proxy-Connection: Keep-Alive\r\n
    Host: www.nasa.gov\r\n
    Pragma: no-cache\r\n
    Cookie: __utma=259910805.2084310783.1412579533.1412579533.1412579533.1; __utmz=259910805.1412579533.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)\r\n
     [truncated] Proxy-Authorization: Negotiate YIIFGAYGKwYBBQUCoIIFDDCCBQigJDAiBgkqhkiC9xIBAgIGCSqGSIb3EgECAgYKKwYBBAGCNwICCqKCBN4EggTaYIIE1gYJKoZIhvcSAQICAQBuggTFMIIEwaADAgEFoQMCAQ6iBwMFACAAAACjggPpYYID5TCCA+GgAwIBBaEWGxRTSUJQVFVTLlRSQU5TTkVG
        GSS-API Generic Security Service Application Program Interface
            OID: 1.3.6.1.5.5.2 (SPNEGO - Simple Protected Negotiation)
            Simple Protected Negotiation
                negTokenInit
                    mechTypes: 3 items
                        MechType: 1.2.840.48018.1.2.2 (MS KRB5 - Microsoft Kerberos 5)
                        MechType: 1.2.840.113554.1.2.2 (KRB5 - Kerberos 5)
                        MechType: 1.3.6.1.4.1.311.2.2.10 (NTLMSSP - Microsoft NTLM Security Support Provider)
                    mechToken: 608204d606092a864886f71201020201006e8204c5308204...
                    krb5_blob: 608204d606092a864886f71201020201006e8204c5308204...
                        KRB5 OID: 1.2.840.113554.1.2.2 (KRB5 - Kerberos 5)
                        krb5_tok_id: KRB5_AP_REQ (0x0001)
                        Kerberos AP-REQ
                            Pvno: 5
                            MSG Type: AP-REQ (14)
                            Padding: 0
                            APOptions: 20000000 (Mutual required)
                                0... .... .... .... .... .... .... .... = reserved: RESERVED bit off
                                .0.. .... .... .... .... .... .... .... = Use Session Key: Do NOT use the session key to encrypt the ticket
                                ..1. .... .... .... .... .... .... .... = Mutual required: MUTUAL authentication is REQUIRED
                            Ticket
                                Tkt-vno: 5
                                Realm: SIBPTUS.TRANSNEFT.RU
                                Server Name (Service and Instance): HTTP/proxy.sibptus.transneft.ru
                                    Name-type: Service and Instance (2)
                                    Name: HTTP
                                    Name: proxy.sibptus.transneft.ru
                                enc-part des-cbc-md5
                                    Encryption type: des-cbc-md5 (3)
                                    enc-part: 6f43ba385aad8624bea2e0e2d9d1b4ad394a2330fa322d2a...
                            Authenticator des-cbc-md5
                                Encryption type: des-cbc-md5 (3)
                                Authenticator data: 55452dc45cbb32cd7ceafa12a3c4eeb28bb5a7d6fc0a37ca...
    \r\n
    [Full request URI: http://www.nasa.govhttp://www.nasa.gov/]

--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
sip:sudakov@xxxxxxxxxxxxxxxx

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
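
Added example, not part of the original post and not Squid's code: a small Python parser that reads the outer GSS-API/SPNEGO framing of a Negotiate header value and lists the mechanisms it offers, which is the part of the dissection above that can be checked from the header alone, even when the value is truncated. The function names are this example's own; SAMPLE is the first 80 base64 characters of the header shown in the capture.

```python
import base64

MECHS = {  # names as they appear in the dissection above
    "1.3.6.1.5.5.2": "SPNEGO", "1.2.840.48018.1.2.2": "MS KRB5",
    "1.2.840.113554.1.2.2": "KRB5", "1.3.6.1.4.1.311.2.2.10": "NTLMSSP",
}
# First 80 base64 characters of the header in the capture (already truncated there).
SAMPLE = ("Negotiate YIIFGAYGKwYBBQUCoIIFDDCCBQigJDAiBgkqhkiC9xIB"
          "AgIGCSqGSIb3EgECAgYKKwYBBAGCNwICCqKC")

def tlv(buf, pos):
    """Read one DER header at pos; return (tag, content_start, declared_length)."""
    tag, first = buf[pos], buf[pos + 1]
    n = first & 0x7F if first & 0x80 else 0    # long form: n length octets follow
    length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big") if n else first
    return tag, pos + 2 + n, length

def mech_name(body):
    """Decode DER OID content octets to dotted form and map to a mechanism name."""
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:                       # high bit clear ends the arc
            arcs.append(val)
            val = 0
    dotted = ".".join(map(str, arcs))
    return MECHS.get(dotted, dotted)

def offered_mechs(header_value):
    """List mechanisms offered by a 'Negotiate <base64>' value, even if truncated."""
    b64 = header_value.split()[-1]
    raw = base64.b64decode(b64[:len(b64) // 4 * 4])  # drop a partial last quantum
    tag, pos, _ = tlv(raw, 0)
    if tag != 0x60:                            # e.g. a raw NTLMSSP message
        raise ValueError("not a GSS-API initial context token")
    _, pos, n = tlv(raw, pos)                  # thisMech OID
    if mech_name(raw[pos:pos + n]) != "SPNEGO":
        return [mech_name(raw[pos:pos + n])]   # e.g. Kerberos without SPNEGO
    pos += n
    for want in (0xA0, 0x30, 0xA0, 0x30):      # negTokenInit, SEQUENCE, [0] mechTypes, SEQUENCE OF
        tag, pos, n = tlv(raw, pos)
        if tag != want:
            raise ValueError(f"unexpected tag {tag:#x}")
    end, out = pos + n, []
    while pos < end:                           # one OID per offered mechanism
        _, pos, n = tlv(raw, pos)
        out.append(mech_name(raw[pos:pos + n]))
        pos += n
    return out
```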